ERPNext API auth

Hi guys, 

According to this https://frappe.io/apps/frappe-framework/developers/api/rest_api , we would log in using the API by calling /api/method/login.
But what I don't understand is: if the client does not have a session, we cannot really detect whether the subsequent API calls are authenticated, right?

In that case, is there any recommendation? I am thinking of using a generated token and keep passing that on subsequent calls.
Will that be OK?

Thank you!!!



Note:

 

If you are posting an issue,

  1. We should be able to replicate it at our end. So please give us as much information as you can. Please see it from the point of view of the person receiving the communication.
  2. Paste your code at http://pastebin.com or http://gist.github.com and send only the URL via email
  3. For sending images, use http://imgur.com or other similar services. Do not send images as attachments. Links are good. Same goes for any file you are going to send.

     

    End of Note



    You received this message because you are subscribed to the Google Groups "ERPNext Developer Forum" group.

    To unsubscribe from this group and stop receiving emails from it, send an email to erpnext-developer-forum+un…@googlegroups.com.

    To view this discussion on the web visit https://groups.google.com/d/msgid/erpnext-developer-forum/e6e3dcff-bbde-4891-b272-500b4d43b58b%40googlegroups.com.

    For more options, visit https://groups.google.com/d/optout.
Use this:

https://github.com/frappe/frappe-client

(See the example)


On 04-Jul-2014, at 9:41 am, Nguyen Do Le Bao <na...@gmail.com> wrote:

Hi guys, 

According to this https://frappe.io/apps/frappe-framework/developers/api/rest_api , we would log in using the API by calling /api/method/login.
But what I don't understand is: if the client does not have a session, we cannot really detect whether the subsequent API calls are authenticated, right?

In that case, is there any recommendation? I am thinking of using a generated token and keep passing that on subsequent calls.
Will that be OK?

Thank you!!!



Hi rushabh, 

Thank you for this, but if my client side is using sth else and cannot have session ? Like using curl ?
Do you have any recommendation for server side to identify the session ?

Nathan


On Friday, July 4, 2014 1:08:52 PM UTC+8, rushabh wrote:
Use this:


(See the example)




On 09-Jul-2014, at 9:51 am, Nguyen Do Le Bao <na...@gmail.com> wrote:

Hi rushabh, 

Thank you for this, but if my client side is using sth else and cannot have session ?

No, then you can't; you need to be authenticated!

Like using curl ?
Do you have any recommendation for server side to identify the session ?

Nathan


Hi, 

I actually can get the sessionid and pass back to server on subsequent calls 
But then it's a bit insecure so I wanna encrypt/decrypt the id
Problem there is no way to set frappe.session.user directly in the API module function ?

Please ignore the 'fields', 'filters' settings 

Nathan

On Wednesday, July 9, 2014 1:09:35 PM UTC+8, rushabh wrote:


On 09-Jul-2014, at 9:51 am, Nguyen Do Le Bao <na...@gmail.com> wrote:

Hi rushabh, 

Thank you for this, but if my client side is using sth else and cannot have session ?

No, then you can't; you need to be authenticated!

Like using curl ?
Do you have any recommendation for server side to identify the session ?

Nathan


Hi, 

I actually can get the sessionid and pass back to server on subsequent calls 
But then it's a bit insecure

Not sure how this helps? If you are on an HTTPS connection, it is very hard to sniff your ID - if you are on HTTP - whether you generate a new token every time or not is easy to figure for a hacker.

so I wanna encrypt/decrypt the id
Problem there is no way to set frappe.session.user directly in the API module function ?

Please ignore the 'fields', 'filters' settings 

Nathan


Rushabh,

Is login mandatory for using the API? Can you use the API only with the authenticate method?

From what we are seeing, it appears it is impossible to use the API without using login first. We are getting the following error:

{
"exc":"["Traceback (most recent call last):
\n File \"/opt/bitnami/apps/erpnext/htdocs/frappe-bench/apps/frappe/frappe/app.py\", line 64, in application
\n response = frappe.api.handle()
\n File \"/opt/bitnami/apps/erpnext/htdocs/frappe-bench/apps/frappe/frappe/api.py\", line 59, in handle
\n return frappe.handler.handle()
\n File \"/opt/bitnami/apps/erpnext/htdocs/frappe-bench/apps/frappe/frappe/handler.py\", line 24, in handle
\n data = execute_cmd(cmd)
\n File \"/opt/bitnami/apps/erpnext/htdocs/frappe-bench/apps/frappe/frappe/handler.py\", line 61, in execute_cmd
\n is_whitelisted(method)
\n File \"/opt/bitnami/apps/erpnext/htdocs/frappe-bench/apps/frappe/frappe/handler.py\", line 71, in is_whitelisted
\n raise frappe.PermissionError('Not Allowed, {0}'.format(method))
\nfrappe.exceptions.PermissionError: Not Allowed, <function get_logged_user at 0x7f2089d60680>
\n"]","_server_messages":"["{\"message\": \"Not permitted\"}"]"
}


It appears the ERPNext server requires a session. But then what is the point of the authenticate method? We would like to just use the authenticate method to call API methods.
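
Added example, not part of the thread and not Frappe's own code: the session flow discussed above, run offline against a constructed local stub of /api/method/login and get_logged_user. The stub, the test account and the names StubFrappe, call and demo are assumptions; it shows that a client which stores the `sid` cookie from login is recognised on later calls, while one that drops it gets "Not permitted".

```python
import json, secrets, threading
import urllib.error, urllib.parse, urllib.request
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"api@example.com": "constructed-password"}  # constructed test account
SESSIONS = {}  # sid -> user, kept server-side; the client holds only an opaque id

class StubFrappe(BaseHTTPRequestHandler):  # constructed stand-in, not Frappe code
    def log_message(self, *args):  # keep the demo quiet
        pass
    def _reply(self, status, body, cookie=None):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.end_headers()
        self.wfile.write(data)
    def do_POST(self):
        if self.path != "/api/method/login":
            return self._reply(404, {"message": "Not found"})
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        usr, pwd = form.get("usr", [""])[0], form.get("pwd", [""])[0]
        if usr not in USERS or not secrets.compare_digest(USERS[usr].encode(), pwd.encode()):
            return self._reply(401, {"message": "Not permitted"})
        sid = secrets.token_hex(32)  # random and unguessable; carries no data to decrypt
        SESSIONS[sid] = usr
        # Over real HTTPS also set "Secure"; omitted because this stub speaks plain HTTP.
        self._reply(200, {"message": "Logged In"}, f"sid={sid}; Path=/; HttpOnly")
    def do_GET(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        user = SESSIONS.get(jar["sid"].value) if "sid" in jar else None
        if self.path != "/api/method/frappe.auth.get_logged_user" or user is None:
            return self._reply(403, {"message": "Not permitted"})
        self._reply(200, {"message": user})

def call(opener, url, form=None):  # returns (status, JSON); form data makes it a POST
    data = urllib.parse.urlencode(form).encode() if form else None
    try:
        with opener.open(urllib.request.Request(url, data=data), timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def demo():
    direct = lambda *h: urllib.request.build_opener(urllib.request.ProxyHandler({}), *h)
    with HTTPServer(("127.0.0.1", 0), StubFrappe) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}/api/method/"
        login, who = base + "login", base + "frappe.auth.get_logged_user"
        creds = {"usr": "api@example.com", "pwd": "constructed-password"}
        plain = direct()  # no cookie jar: Set-Cookie is dropped, like bare curl
        keeps = direct(urllib.request.HTTPCookieProcessor(CookieJar()))
        try:
            return {"plain_login": call(plain, login, creds)[0],
                    "plain_call": call(plain, who)[0],  # sid was never stored
                    "jar_login": call(keeps, login, creds)[0],
                    "jar_call": call(keeps, who)}       # jar sends the sid back
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(demo())
```

The session id is a random lookup key, so its protection in transit comes from HTTPS and the cookie flags rather than from encrypting the value itself.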